NodeJS OAuth2.0 原理 [英] NodeJS OAuth2.0 principles

问题描述

最近我在做一个 nodeJS 项目，我在思考如何着手和实现我的移动应用程序的安全模块.我以前在 C# 项目中使用过 OAuth 2.0 协议的经验.

Recently I was working on a nodeJS project and I was thinking how to go about and implement the security module of my mobile application. I had a previous experience from OAuth 2.0 protocol which I used in C# projects in the past.

.NET 中有两个不错的开源项目

In .NET there are two nice open source project

1. https://github.com/thinktecture/Thinktecture.IdentityServer.v3
2. https://github.com/thinktecture/Thinktecture.AuthorizationServer

前者是支持联合身份验证的身份提供者，后者是 OAuth 2.0 提供者.

The former is an Identity Provider supporting federated authentication and the later is an OAuth 2.0 provider.

所以我决定为我的 nodeJS 应用程序使用相同的安全基础设施.但据我所知，没有什么能与这些项目相提并论.

So I decided to employ the same security infrastructure for my nodeJS app. But as far as I know, there is nothing equivalent to those projects.

我发现了一些非常好的项目，这些项目还没有完成，但这是一个好的开始:

I found some really nice project, which are not yet complete but are a good start:

• https://www.npmjs.org/package/node-oauth2-server
• https://github.com/domenic/restify-oauth2

此外，我看到了一篇很好的文章，它提出了一种在 nodeJS 中处理身份验证的好方法.https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/ 以及对 stackoverflow 上的问题的类似回答.网站和自有网站之间的身份验证应用程序接口

In addition, I came across a nice article that suggests a nice way to deal with authentication in nodeJS. https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/ and a similar answer to a questtion on stackoverflow. Auth between a website and self-owned API

据我所知，expressJwt 保护我们的 api，基本上会验证用户发送的访问令牌.但我想更进一步，将令牌与特定于应用程序的范围相关联，就像使用 OAuth2.0 协议一样.例如，我想分配写入、读取等范围，并让 expressJwt 检查用户的令牌是否具有作为特定 API 端点访问所需的范围.

From what I understood, expressJwt guards our api's and basically will validate the access token sent by the user. But I'd like to go a step further, and associate a token with app specific scopes, in a similar way that one would do with the OAuth2.0 protocol. So for example, I would like to assign a write, read etc. scopes and have expressJwt check if the user's token has the required scopes to access as specific API endpoint.

如果您能就如何处理这个话题向我提供一些建议，我将不胜感激.

I would be grateful if you could provide me with some suggestions about how to deal with this topic.

推荐答案

首先，您需要生成具有此类声明的令牌.这可能在 API 或其他地方:

First, you need to generate a token with such claims. This could be in an API or some other place:

var jwt = require('jsonwebtoken');

var claims = {
  name: user.name
  can_write: true,
  can_post_timeline: false
};

var token = jwt.sign(claims, 'my-super-secret');

然后，为了验证您将执行以下操作:

Then, to validate you will do something like this:

var jwt = require('express-jwt');

app.use(jwt({secret: 'my-super-secret'}));

function require_time_line_access (req, res, next) {
  if (!req.user.can_post_timeline) return res.send(401);
  next();
}

app.post('/timeline', 
  require_time_line_access,
  function(req, res) {
    //do timeline stuff
  });

express-jwt 验证令牌的签名、到期时间和其他一些事情.如果一切正常，则将解码后的令牌放入 req.user，如果不正常则返回 401.

express-jwt validates the signature of the token, expiration and few other things. If everything is okay it puts the decoded token in req.user, and if is not okay it returns 401.

require_time_line_access 是确保用户拥有此声明的中间件，如果没有，则返回 401.您可以将此中间件放在需要此声明的每个端点中.

require_time_line_access is a middleware that ensure the user has this claim, if it doesnt it returns 401. You can put this middleware in every endpoint that needs this claim.

这篇关于NodeJS OAuth2.0 原理的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！